The present disclosure relates generally to communications traffic analysis, and more particularly to decryption of encrypted SSL data from packet traces without using private keys or a proxy.
Network traffic analysis allows people to see how traffic in a network is distributed. Changes to data delivery routes can be based on a traffic analysis to lower delays in transmitting the data from one point to another. Network traffic analysis is harder to perform when network traffic is encrypted using one of various protocols.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that are used to secure communications over networks, such as the Internet. SSL and TLS are used by critical application-layer protocols carrying World Wide Web traffic, such as Hypertext Transfer Protocol Secure (HTTPS) and SPDY. In order for network traffic using these protocols to be analyzed, the communications must be decrypted. Various attempts to analyze communication traffic by decrypting SSL and TLS communications rely on additional infrastructure. The use of additional infrastructure can change both the traffic pattern and the content of the traffic, because additional devices, such as a proxy, are placed in series with the network path. For example, instead of network traffic traveling from point A to point B, the traffic travels from point A to a proxy and then from the proxy to point B. In addition to the use of an additional node (i.e., the proxy), data must be addressed not only to point B but also to the proxy. The use of additional infrastructure may also incur additional overhead due to the use of additional devices, such as a proxy.
Various methods have addressed the need to decrypt SSL/TLS traffic in various ways. One method ignores the content of SSL/TLS traffic in packet-level traces. In another method, some tools use servers' private keys for decryption. However, obtaining the private keys of commercial servers is usually very difficult. A third method redirects traffic to a man-in-the-middle (MITM) SSL proxy. HTTPS requests are then terminated by the proxy and resent to a remote web server (e.g., the intended destination) in a new transmission control protocol (TCP) connection. This method requires a certificate of the proxy to be installed on the user device that transmits information via the proxy. To decrypt the SSL/TLS traffic, the private key of the proxy is provided to a program that can then decrypt the traffic transmitted through the proxy. This MITM approach requires additional infrastructure, incurs overhead due to the proxy, and changes the traffic pattern and content of the communications.